[CRUC-8163] Missing permission check in review coverage REST endpoint - CVE-2017-18035 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 4.5.0
Fix Version/s: 4.5.1, 4.6.0
Component/s: None
Labels:

Symptom Severity:
Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.

Affected versions:

Older than 4.5.1

Fix versions:

4.5.1, 4.6.0

Attachments

Issue Links

was cloned as

FE-6996 Missing permission check in review coverage REST endpoint - CVE-2017-18035

Closed

Activity

People

Assignee:

Unassigned

Reporter:

Adam Slaski

Participants:

Adam Slaski, David Black

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

18/Jan/2018 10:44 AM

Updated:

01/Feb/2018 10:49 AM

Resolved:

18/Jan/2018 10:53 AM

Last commented:

1 year, 28 weeks, 3 days ago